Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-32163 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows User Interface Core allows an authorized attacker to elevate privileges locally. | 7.8 | HIGH | β | 0 |
| CVE-2026-32164 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows User Interface Core allows an authorized attacker to elevate privileges locally. | 7.8 | HIGH | β | 0 |
| CVE-2026-32165 Use after free in Windows User Interface Core allows an authorized attacker to elevate privileges locally. | 7.8 | HIGH | β | 0 |
| CVE-2026-32181 Improper privilege management in Microsoft Windows allows an authorized attacker to deny service locally. | 5.5 | MEDIUM | β | 0 |
| CVE-2026-32195 Stack-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally. | 7.0 | HIGH | β | 0 |
| CVE-2026-33877 ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/re... | 3.7 | LOW | β | 0 |
| CVE-2026-34943 Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val ... | 7.5 | HIGH | β | 0 |
| CVE-2026-34944 Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, On x86-64 platforms with SSE3 disabled Wasmtime's compilation of the f64x2.splat WebAssembly instruction with Cranel... | 5.7 | MEDIUM | β | 0 |
| CVE-2026-34945 Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a bug where a 64-bit table, part of the memory64 proposal of WebAssembly, in... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-34946 Wasmtime is a runtime for WebAssembly. From 25.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's Winch compiler contains a vulnerability where the compilation of the table.fill instruction can resu... | 7.5 | HIGH | β | 0 |
| CVE-2026-40159 PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAIβs MCP (Model Context Protocol) integration allows spawning background servers via stdio using user-supplied command strings (e.g., ... | 5.5 | MEDIUM | β | 0 |
| CVE-2024-23104 An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiNDR 7.6.0, FortiNDR 7.4.0 through 7.4.8, FortiNDR 7.2 all versions, FortiNDR 7.1 all versions, FortiNDR 7.0... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-53847 A missing authentication for critical function vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-61848 An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.8, FortiAnalyzer 7.... | 7.2 | HIGH | β | 0 |
| CVE-2026-21741 An URL Redirection to Untrusted Site ('Open Redirect') vulnerability [CWE-601] vulnerability in Fortinet FortiNAC-F 7.6.0 through 7.6.5, FortiNAC-F 7.4 all versions, FortiNAC-F 7.2 all versions may al... | 2.4 | LOW | β | 0 |
| CVE-2026-39815 A improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiDDoS-F 7.2.1 through 7.2.2 may allow attacker to execute unauthorized code or comm... | 8.8 | HIGH | β | 0 |
| CVE-2026-23778 Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13... | 7.2 | HIGH | β | 0 |
| CVE-2026-28212 Firebird is an open-source relational database management system. In versions prior to 6.0.0, 5.0.4, 4.0.7 and 3.0.14, when processing an op_slice network packet, the server passes an unprepared struc... | 7.5 | HIGH | β | 0 |
| CVE-2026-6437 Improper neutralization of argument delimiters in the volume handling component in AWS EFS CSI Driver (aws-efs-csi-driver) before v3.0.1 allows remote authenticated users with PersistentVolume creatio... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-31927 Anviz CX7 FirmwareΒ is vulnerable to an authenticated CSV upload which allows path traversal to overwrite arbitrary files (e.g., /etc/shadow), enabling unauthorized SSH access when combined with debu... | 4.9 | MEDIUM | β | 0 |
| CVE-2026-40480 ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization... | N/A | NONE | β | 0 |
| CVE-2026-40484 ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directo... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-40485 ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-40582 ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypa... | N/A | NONE | β | 0 |
| CVE-2026-40593 ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the User Editor (UserEditor.php) renders stored usernames directly into an HTML input value attribute without applying... | 4.8 | MEDIUM | β | 0 |
| CVE-2026-40490 The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)), version... | 6.8 | MEDIUM | β | 0 |
| CVE-2026-40491 gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-39851 Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange() mutation was revealing the existence of user-provided email addresses in erro... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-26149 Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to perform spoofing over a network. | 9.0 | CRITICAL | β | 0 |
| CVE-2026-30624 Agent Zero 0.9.8 contains a remote code execution vulnerability in its External MCP Servers configuration feature. The application allows users to define MCP servers using a JSON configuration contain... | 8.6 | HIGH | β | 0 |
| CVE-2025-41118 Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent C... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-21727 --- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" ... | 3.3 | LOW | β | 0 |
| CVE-2026-3219 pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as inst... | N/A | NONE | β | 0 |
| CVE-2026-5478 The Everest Forms plugin for WordPress is vulnerable to Arbitrary File Read and Deletion in all versions up to, and including, 3.4.4. This is due to the plugin trusting attacker-controlled old_files d... | 8.1 | HIGH | β | 0 |
| CVE-2026-6576 A vulnerability was determined in liangliangyy DjangoBlog up to 2.1.0.0. The affected element is the function CommandHandler of the file servermanager/api/commonapi.py of the component WeChat Bot Inte... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-6577 A vulnerability was identified in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file owntracks/views.py of the component logtracks Endpoint. The manipulatio... | 7.3 | HIGH | β | 0 |
| CVE-2026-6578 A security flaw has been discovered in liangliangyy DjangoBlog up to 2.1.0.0. This affects an unknown function of the file djangoblog/settings.py of the component Setting Handler. The manipulation of ... | 5.6 | MEDIUM | β | 0 |
| CVE-2026-6579 A weakness has been identified in liangliangyy DjangoBlog up to 2.1.0.0. This impacts an unknown function of the file blog/views.py of the component Clean Endpoint. This manipulation causes missing au... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-6580 A security vulnerability has been detected in liangliangyy DjangoBlog up to 2.1.0.0. Affected is an unknown function of the file owntracks/views.py of the component Amap API Call Handler. Such manipul... | 7.3 | HIGH | β | 0 |
| CVE-2026-6584 A vulnerability was found in TransformerOptimus SuperAGI up to 0.0.14. This vulnerability affects the function update_user of the file superagi/controllers/user.py of the component User Update Endpoin... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-6587 A security flaw has been discovered in vibrantlabsai RAGAS up to 0.4.3. The affected element is the function _try_process_local_file/_try_process_url of the file src/ragas/metrics/collections/multi_mo... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-6597 A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow... | 2.7 | LOW | β | 0 |
| CVE-2026-6599 A vulnerability was detected in langflow-ai langflow up to 1.8.3. The impacted element is the function get_client_ip/install_mcp_config of the file src/backend/base/langflow/api/v1/mcp_projects.py of ... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-6600 A flaw has been found in langflow-ai langflow up to 1.8.3. This affects an unknown function of the file src/frontend/src/modals/IOModal/components/chatView/chatMessage/components/edit-message.tsx of t... | 3.5 | LOW | β | 0 |
| CVE-2026-6601 A vulnerability has been found in Lagom WHMCS Template up to 2.4.2. This impacts an unknown function of the component Datatables. The manipulation leads to resource consumption. Remote exploitation of... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-6602 A vulnerability was found in rickxy Hospital Management System up to 88a4290d957dc5bdde8a56e5ad451ad14f7f90f4. Affected is an unknown function of the file /backend/admin/his_admin_account.php. The man... | 7.3 | HIGH | β | 0 |
| CVE-2026-6603 A vulnerability was determined in modelscope agentscope up to 1.0.18. Affected by this vulnerability is the function execute_python_code/execute_shell_command of the file src/AgentScope/tool/_coding/_... | 7.3 | HIGH | β | 0 |
| CVE-2026-6604 A vulnerability was identified in modelscope agentscope up to 1.0.18. Affected by this issue is the function _parse_url/prepare_image/openai_audio_to_text of the file src/agentscope/tool/_multi_modali... | 7.3 | HIGH | β | 0 |
| CVE-2026-6614 A security flaw has been discovered in TransformerOptimus SuperAGI up to 0.0.14. Affected by this vulnerability is the function get_project/update_project/get_projects_organisation of the file superag... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-6615 A weakness has been identified in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function Upload of the file superagi/controllers/resources.py of the component Multipart Uploa... | 7.3 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.